The recent cyberattack on MGM Resorts International has raised serious concerns about the security of sensitive data and the vulnerabilities organizations face in today’s digital landscape. In this blog post, we will dive into the details of the attack based on the information currently available, analyze its root causes and discuss key takeaways to help organizations strengthen their security posture.

MGM attack: what we know (thus far)

Allegedly, a criminal gang made up of U.S. and U.K.-based individuals that cybersecurity experts call Scattered Spider (aka Roasted 0ktapus, UNC3944 or Storm-0875) initiated a social engineering attack that led to the near shutdown of MGM Resorts International. MGM Resorts International is a global hospitality and entertainment company, with a portfolio of 29 hotel and resort properties, including iconic brands like Bellagio, MGM Grand and Mandalay Bay.

(Did you attend Black Hat at the Mandalay Convention Center this year? Yes, this could directly affect you.)

A social engineering attack allowed the threat actor to burrow into the MGM environment and establish a foothold. CyberArk Labs – along with many experts in the cybersecurity community – currently believe that, thanks to the common mistake of password reuse, the attackers already held usernames and passwords from previous data breaches. With additional information collected from a high-value user’s LinkedIn profile, they hoped to dupe the helpdesk into resetting the user’s multi-factor authentication (MFA). They were successful.

Based on the information available as it currently stands, the threat actors were also observed establishing persistence in MGM’s network by configuring an entirely additional Identity Provider (IdP) in the Okta tenant using a feature called “inbound federation.” The function is intended to allow the fast connection of different Okta tenants during mergers of companies.
In this case, though, the threat actors used it to increase their control of the victim’s networks. (As we say in the industry, “It’s not a bug; it’s a feature!”)

It also appears that the attackers gained control not only of Okta but also of the Microsoft Azure cloud environment. Compromising the IAM platform already jeopardized the applications it managed, but now all of MGM’s cloud assets were in danger as well.

Our threat actors were eventually discovered. MGM’s incident response team began by terminating the Okta sync servers, where Scattered Spider had deployed some additional credential harvesting techniques. This ultimately resulted in the complete termination of the Okta platform and of the threat actors’ initial access. However, the damage had been done. The threat actors had already exfiltrated an unknown number of terabytes of data and still had access to the cloud platform. It was time to make their presence known.

This was when the BlackCat/ALPHV ransomware group was called in. Using this ransomware-as-a-service (RaaS) offering, Scattered Spider encrypted several hundred of MGM’s ESXi servers, which hosted thousands of VMs supporting hundreds of systems widely used in the hospitality industry. This caused cascading chaos. As the ESXi hosts became encrypted one after another, the applications running on them crashed … one after another … after another. Hotel room keys no longer worked. Dinner reservation systems were down. Point-of-sale systems were unable to take payments. Guests were unable to check in or out. Slot machines were completely unavailable. At this point, MGM was hemorrhaging money – and potentially its credibility.

Once the threat actors acquired their initial foothold, they could begin to escalate their privileges. They ultimately acquired privileged access to the accounts running the IAM infrastructure.
This allowed them significant access to the MGM network.

What made this attack worse than a compromise limited to MGM’s Okta environment and the applications connected to it was that the IdP solution granted highly privileged access to Azure, which ultimately allowed the cloud-originated attack to reach MGM’s brick-and-mortar operations. Scattered Spider deployed BlackCat/ALPHV ransomware, which encrypted several hundred ESXi hosts in MGM’s virtual machine infrastructure. This severely impacted MGM’s operations.

The full extent of what systems were compromised and what data was leaked is still unknown. Still, gaming industry analyst David Katz says that MGM Resorts is losing as much as $8.4 million in revenue every day until it fixes the problems caused by the ongoing cyberattack. There is still so much to this story that we won’t know the full extent of the damage for quite some time.

CyberArk Labs’ critical initial takeaways from the MGM attack

Although it’s still too early to definitively say what exactly happened in the MGM attack, the following initial assessments from our team are as relevant now as they’ll be once the dust settles:

Lessons learned and mitigation strategies

To strengthen security measures and mitigate similar attacks, organizations should consider the following strategies:

1. Contain impact

Minimizing the exposure of privileged accounts is vital in mitigating phishing attempts. IT administrators should use privileged access management (PAM) solutions to reduce the risk of compromise through attacks such as vishing.
Organizations should also consider implementing zero standing privilege (ZSP) where applicable.

We like to say, “It’s hard to hack a credential when it literally doesn’t exist.” While internal or external compromises may still occur, ZSP contains the attack to a dedicated endpoint, which can help minimize exposure and assist with incident response.

2. Improve MFA control

Creating visibility into MFA device changes is essential. Emitting specific logs that customers can monitor in their security information and event management (SIEM) systems helps detect and respond to unusual authentication activity, such as a factor reset on a privileged account. Additionally, implementing a dual control feature can enhance security by requiring multiple authorizations for critical actions.

3. Protect Tier 0 assets

Tier 0 assets must be protected, including signing keys and access to critical infrastructure. Implementing endpoint privilege security on federation servers can help safeguard signing keys from credential theft attempts. Furthermore, it is crucial to prevent unauthorized access to Tier 0 assets by limiting access through proxies combined with dual controls.

4. Adopt IdP best practices:

Final thoughts (for now)

A series of mistakes ultimately led to one of the most visible and brand-damaging attacks in years. To mitigate similar attacks, organizations should focus on minimizing the exposure of privileged accounts, implementing strong authentication measures such as MFA, protecting Tier 0 assets, monitoring trust changes and staying updated on evolving cyber threats. It’s a lot to do, but it’s crucial for organizations to continuously improve their security measures and follow best practices to protect themselves in today’s digital landscape.

To enhance your security posture, watch this informative webinar and fortify your defenses against cyberthreats.

Andy Thompson is CyberArk Labs’ Offensive Research Evangelist.
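As an added example (not from this post or from CyberArk), here is detection logic for the two identity-plane signals the post points at: a new IdP trust such as inbound federation being created in the Okta tenant, and an MFA reset on a privileged account that is quickly followed by enrollment of a fresh factor (the helpdesk-takeover pattern from section 2). The Okta System Log event type names are as I recall them from Okta's reference and are an assumption to verify against your own tenant; the watchlist and the log lines are constructed.

```python
import json
from datetime import datetime, timedelta

# Okta System Log event type names as recalled from Okta's reference (assumption: verify in your tenant).
IDP_TRUST_EVENTS = {"system.idp.lifecycle.create", "system.idp.lifecycle.activate",
                    "system.idp.lifecycle.update"}
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
MFA_ENROLL_EVENT = "user.mfa.factor.activate"
PRIVILEGED_USERS = {"cfo@example.com", "okta-admin@example.com"}  # constructed watchlist
ENROLL_WINDOW = timedelta(hours=1)  # reset followed by re-enrollment inside this window is suspicious

# Constructed sample log lines (one JSON event per line), not real MGM or Okta data.
SAMPLE_LOG = """
{"published":"2024-01-15T14:02:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"cfo@example.com"}]}
{"published":"2024-01-15T14:09:00.000Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"cfo@example.com"},"target":[{"alternateId":"cfo@example.com"}]}
{"published":"2024-01-15T15:30:00.000Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"cfo@example.com"},"target":[{"alternateId":"Partner Okta Tenant"}]}
{"published":"2024-01-15T16:00:00.000Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"target":[]}
"""

def parse_log(text):
    """Turn a newline-delimited JSON System Log export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def detect(events):
    """Return (severity, rule, message) alerts, in time order, for the two signals above."""
    alerts, last_reset = [], {}  # last_reset: user -> time of the most recent MFA reset
    for e in sorted(events, key=_ts):
        et, actor = e["eventType"], e["actor"]["alternateId"]
        target = e["target"][0]["alternateId"] if e.get("target") else None
        if et in IDP_TRUST_EVENTS:
            # A new or changed IdP trust is rare outside a planned merger: always alert on it.
            alerts.append(("critical", "idp_trust_change", f"{actor} performed {et} on IdP '{target}'"))
        elif et in MFA_RESET_EVENTS and target in PRIVILEGED_USERS:
            last_reset[target] = _ts(e)
            alerts.append(("high", "privileged_mfa_reset", f"{actor} reset MFA for {target}"))
        elif et == MFA_ENROLL_EVENT and target in last_reset \
                and _ts(e) - last_reset[target] <= ENROLL_WINDOW:
            # A reset immediately followed by a fresh factor is the helpdesk-takeover pattern.
            alerts.append(("critical", "mfa_reset_then_enroll",
                           f"{target} enrolled a new factor {_ts(e) - last_reset[target]} after reset"))
    return alerts

if __name__ == "__main__":
    for severity, rule, msg in detect(parse_log(SAMPLE_LOG)):
        print(f"[{severity}] {rule}: {msg}")
```

The same three rules translate directly into SIEM correlation searches; the reset-then-enroll pairing is the one that needs state across events rather than a single-event match.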